- Add auth HTTP handlers (login, me, logout) with proper JSON responses
- Enforce HS256 via jwt.WithValidMethods to prevent algorithm confusion attacks
- Add context helpers for extracting operator ID and role from JWT claims
- Add comprehensive auth test suite (11 unit tests + 6 integration tests)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Clock API routes: start, pause, resume, advance, rewind, jump, get, warnings
- Role-based access control (floor+ for mutations, any auth for reads)
- Clock state persistence callback to DB on meaningful changes
- Blind structure levels loaded from DB on clock start
- Clock registry wired into HTTP server and cmd/leaf main
- 25 tests covering: state machine, countdown, pause/resume, auto-advance,
jump, rewind, hand-for-hand, warnings, overtime, crash recovery, snapshot
- Fix missing crypto/rand import in auth/pin.go (Rule 3 auto-fix)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Go module at github.com/felt-app/felt with go-libsql pinned to commit hash
- Full directory structure per research recommendations (cmd/leaf, internal/*, frontend/)
- Makefile with build, run, run-dev, test, frontend, all, clean targets
- LibSQL database with WAL mode, foreign keys, and embedded migration runner
- SvelteKit SPA stub served via go:embed
- Package stubs for all internal packages (server, nats, store, auth, clock, etc.)
- go build and go vet pass cleanly
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
